Since the TPM CA's certificate must be signed by a CA, a root certificate authority will also be created and will sign this certificate. The root CA's private key and certificate will be located in the same directory as the signing key and have the names swtpm-localca-rootca-privkey.pem and swtpm-localca-rootca-cert.pem respectively. The environment variable SWTPM_ROOTCA_PASSWORD can be set for the password of the root CA's private key.
Note: This tool is experimental. See the section on known issues below.
The following options are supported:
Note: Due to a bug in GnuTLS certtool it may be necessary to use the same password for the signing key as for the SRK.
Note: Since GnuTLS tpmtool does not support the 'well known' password of 20 zero bytes, the SRK password must be set.
The environment variables SWTPM_PKCS11_PIN and SWTPM_PKCS11_SO_PIN should be set to hold the PINs. If SWTPM_PKCS11_PIN is not set then the default PIN 'swtpm-tpmca' will be used. SWTPM_PKCS11_SO_PIN is needed for creating the token and must be explicitly set as an environment variable.
If the host's TPM is a TPM 1.2, we need to start the tcsd first and can then create the TPM key and TPM CA certificate:
  #> sudo systemctl start tcsd
  #> sudo /usr/share/swtpm/swtpm-create-tpmca \
       --dir /var/lib/swtpm-localca \
       --overwrite \
       --outfile /etc/swtpm-localca.conf \
       --srk-password password \
       --key-password password \
       --group tss

  statedir = /var/lib/swtpm-localca
  signingkey = tpmkey:file=/var/lib/swtpm-localca/swtpm-localca-tpmca-privkey.pem
  issuercert = /var/lib/swtpm-localca/swtpm-localca-tpmca-cert.pem
  certserial = /var/lib/swtpm-localca/certserial
  TSS_TCSD_HOSTNAME = localhost
  TSS_TCSD_PORT = 30003
  signingkey_password = password
  parentkey_password = password
Alternatively, if the host's TPM is a TPM 2 and Intel's TPM 2 stack is installed, we need to start tpm2-abrmd first and can then create the TPM key and TPM CA certificate:
  #> sudo systemctl start tpm2-abrmd
  #> tpm2_ptool init
  action: Created
  id: 1                     # this is the --pid parameter below
  #> sudo SWTPM_PKCS11_PIN="mypin 123" SWTPM_PKCS11_SO_PIN=123 /usr/share/swtpm/swtpm-create-tpmca \
       --dir /var/lib/swtpm-localca \
       --overwrite \
       --outfile /etc/swtpm-localca.conf \
       --group tss \
       --tpm2 \
       --pid 1

  statedir = /var/lib/swtpm-localca
  signingkey = pkcs11:model=SW%20%20%20TPM\;manufacturer=IBM\;serial=0000000000000000\;token=swtpm-tpmca-1\;id=%31\;object=swtpm-tpmca-key\;type=private
  issuercert = /var/lib/swtpm-localca/swtpm-localca-tpmca-cert.pem
  certserial = /var/lib/swtpm-localca/certserial
  SWTPM_PKCS11_PIN = mypin 123
Note: This also works for non-root users: adapt the --dir and --outfile parameters here, and in the test command below change the --dir parameter and add a --config parameter.
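The configuration that swtpm-create-tpmca writes is a flat "key = value" file whose signingkey is either a tpmkey: URI (TPM 1.2) or a PKCS#11 URI (TPM 2), and whose password and PIN entries are stored in clear text. The following script is an added example, not part of swtpm: it parses such a file, decodes the PKCS#11 URI (percent-encoded values, and the "\;" separators, which it assumes are an escape for the config reader and strips), and lists the points a reviewer of the generated file would check: clear-text secrets, the tcsd settings required for a TPM 1.2 key, and the default PIN that applies when SWTPM_PKCS11_PIN is absent. The sample config embedded below is constructed from the TPM 2 example above; no real files are read, and the token/id consistency check is an observation from those examples, not a documented guarantee.

```python
# Added example (not part of swtpm): parse and sanity-check an
# swtpm-localca.conf of the kind swtpm-create-tpmca writes, in the
# 'key = value' form shown above. SAMPLE_CONF is constructed from the
# TPM 2 / PKCS#11 example; nothing is read from disk.
from urllib.parse import unquote

SAMPLE_CONF = """\
statedir = /var/lib/swtpm-localca
signingkey = pkcs11:model=SW%20%20%20TPM\\;manufacturer=IBM\\;serial=0000000000000000\\;token=swtpm-tpmca-1\\;id=%31\\;object=swtpm-tpmca-key\\;type=private
issuercert = /var/lib/swtpm-localca/swtpm-localca-tpmca-cert.pem
certserial = /var/lib/swtpm-localca/certserial
SWTPM_PKCS11_PIN = mypin 123
"""

# Keys whose values are secrets; swtpm-create-tpmca writes them in clear text.
SECRET_KEYS = ("parentkey_password", "signingkey_password", "SWTPM_PKCS11_PIN")


def parse_conf(text):
    """Parse 'key = value' lines into a dict; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # partition on the first '=' only: PKCS#11 URIs contain further '=' signs
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed config line: {raw!r}")
        conf[key.strip()] = value.strip()
    return conf


def classify_signingkey(value):
    """'pkcs11' for a PKCS#11 URI (TPM 2), 'tpm12' for a tpmkey: URI, else 'file'."""
    if value.startswith("pkcs11:"):
        return "pkcs11"
    if value.startswith("tpmkey:"):
        return "tpm12"
    return "file"


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into its attributes, percent-decoding each value.

    The generated config writes the ';' separators as '\\;'; this parser
    assumes that is an escape for the config reader and strips the backslash.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    body = uri[len("pkcs11:"):].replace("\\;", ";")
    attrs = {}
    for part in body.split(";"):
        name, _, value = part.partition("=")
        attrs[name] = unquote(value)
    return attrs


def audit(conf):
    """Return the findings a reviewer of the generated config would raise."""
    findings = []
    for name in SECRET_KEYS:
        if name in conf:
            findings.append(f"{name} is stored in clear text; restrict the file "
                            "to the group given with --group")
    key = conf.get("signingkey", "")
    kind = classify_signingkey(key)
    if kind == "tpm12":
        # A TPM 1.2 signing key is used through tcsd, so its location must be present.
        for name in ("TSS_TCSD_HOSTNAME", "TSS_TCSD_PORT"):
            if name not in conf:
                findings.append(f"{name} missing; tcsd cannot be reached for the TPM 1.2 key")
    elif kind == "pkcs11":
        if "SWTPM_PKCS11_PIN" not in conf:
            findings.append("SWTPM_PKCS11_PIN not set; the default PIN 'swtpm-tpmca' would be used")
        attrs = parse_pkcs11_uri(key)
        token, key_id = attrs.get("token", ""), attrs.get("id", "")
        # In the man page examples the token is named swtpm-tpmca-<pid> and the
        # id decodes to <pid>; treated here as an observation, not a guarantee.
        if not token.endswith("-" + key_id):
            findings.append(f"token {token!r} does not match key id {key_id!r}")
    return findings


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print(classify_signingkey(conf["signingkey"]), parse_pkcs11_uri(conf["signingkey"]))
    for finding in audit(conf):
        print("finding:", finding)
```

Run against the sample, the only finding is the clear-text SWTPM_PKCS11_PIN; replacing SAMPLE_CONF with the contents of a real /etc/swtpm-localca.conf reports the same checks for the TPM 1.2 variant, where both password entries and the TSS_TCSD_* settings are examined.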
To test either one of the above TPM CAs, run the following command:
  #> swtpm_localca \
       --type ek --ek x=11,y=13 \
       --dir /tmp --vmid test --tpm2 \
       --tpm-spec-family 2.0 --tpm-spec-revision 146 --tpm-spec-level 00 \
       --tpm-model swtpm --tpm-version 20170101 --tpm-manufacturer IBM
The --tpm2 in this command indicates that the TPM for which the certificate is created is a TPM 2.
The effect of the authentication failures may be that the TPM CA cannot sign certificates since the TPM does not accept authenticated commands.